aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch')
-rw-r--r--debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch41
1 files changed, 0 insertions, 41 deletions
diff --git a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
deleted file mode 100644
index e0bb00694..000000000
--- a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-commit dba779d9f99ab2fc6bf05c78515dbdd82840cadd
-Author: Keith Packard <keithp@keithp.com>
-Date: Fri May 1 13:09:24 2015 +0200
-
- dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
-
- The length checking code validates PutImage height and byte width by
- making sure that byte-width >= INT32_MAX / height. If height is zero,
- this generates a divide by zero exception. Allow zero height requests
- explicitly, bypassing the INT32_MAX check.
-
- Fix for regression introduced by fix for CVE-2014-8092.
-
- v2: backports to nx-libs 3.6.x (Mike Gabriel)
- v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
- v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
-
- Signed-off-by: Keith Packard <keithp@keithp.com>
-
---- a/nx-X11/programs/Xserver/dix/dispatch.c
-+++ b/nx-X11/programs/Xserver/dix/dispatch.c
-@@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client)
-
- tmpImage = (char *)&stuff[1];
- lengthProto = length;
-- if (lengthProto >= (INT32_MAX / stuff->height))
-+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
- return BadLength;
-
- if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
---- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
-+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
-@@ -2630,7 +2630,7 @@ ProcPutImage(client)
-
- tmpImage = (char *)&stuff[1];
- lengthProto = length;
-- if (lengthProto >= (INT32_MAX / stuff->height))
-+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
- return BadLength;
-
- if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-25 06:21:40 +0000